RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Everything seems to be working fine with the new upgraded version of
Freeradius.

I've also made progress in assigning from an IP pool for a realm.
However, it seems to be all or nothing: if the reply comes back with a
Framed-IP-Address already set, it gets ignored if I set:

override = yes

in the IP pool section of radiusd.conf.
However some users are supposed to have a static IP address and some dynamic
IP assignment.
Those with no static set come back with the reply:

Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x313832

Is there a way to tell Freeradius to only assign from the pool for the user
if the Framed-IP-Address comes back as 255.255.255.254?

Thanks
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 20:42
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 Right I've now managed to get v2.0.1 working on our radius server.
 Although for some reason it's not logging to radiusd.log.
 Previously we have logged accounting to the log file and the radacct
table.
 If anyone can spare a thought on why this isn't now logging to the
 radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

 Onto the different IP pool per realm...
 This still doesn't seem to work.
 The debug doesn't show the IP pool being loaded.
 Does this still need to be put into radiusd.conf or the sites-enabled
file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008
12:21
 

No virus found in this outgoing message.
Checked by AVG Free Edition. 
Version: 7.5.516 / Virus Database: 269.20.2/1270 - Release Date: 10/02/2008
12:21
 



Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
 Is there a way to tell Freeradius to only assign from the pool for the user
 if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if (%{proxy_reply:Framed-IP-Address} != 255.255.255.254) {
      ippool
  }

  It's pretty much that easy...

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
 The only place I found reference to the IP Pool is in the site-enabled
 config file. So I added:

 if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) {

  Sorry, that should be proxy-reply, not proxy_reply.

 There is an error in the debug when a user tries to login, but it seems to
 run the rule. But it still doesn't seem to assign from the IP pool.

  Again, the debug output makes it clear what is happening:
...
 +- entering group post-auth
 ++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254)
 WARNING: Unknown module proxy_reply in string expansion

  Yup.  That's a typo.

 %{proxy_reply:Framed-IP-Address}
 expand: %{proxy_reply:Framed-IP-Address} -

  i.e. nothing.

 ? Evaluating (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) -
 FALSE

  Nothing doesn't match the string 255.255.255.254.

  Again, reading the debug output helps.  There is no magic required to
see a WARNING, and conclude that maybe something is wrong.

  Alan DeKok.
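
Putting the thread's pieces together, as an added example that is not part of the original posts: the post-auth section Tony posted, with the pool call wrapped in the condition using the corrected `proxy-reply` name and the `==` comparison from Tony's version. Quoting both sides of the comparison is a style assumption; `main_pool`, `sql` and the REJECT block are taken from the thread.

```unlang
# sites-enabled file, FreeRADIUS 2.0.x (added example, not from the thread)
post-auth {
	# Before: "main_pool" was listed here unconditionally. With
	# "override = yes" in the ippool section, every user, including
	# those with a static address, received a pool address.

	# After: allocate from the pool only when the home server sent
	# the 255.255.255.254 placeholder in its proxied reply.
	# Note "proxy-reply" (hyphen). "proxy_reply" is parsed as an
	# unknown module, expands to nothing, and the test is always FALSE.
	if ("%{proxy-reply:Framed-IP-Address}" == "255.255.255.254") {
		main_pool
	}

	sql

	Post-Auth-Type REJECT {
		attr_filter.access_reject
		sql
	}
}
```

In `radiusd -X` output the condition line should now expand to the proxied address with no "Unknown module" warning, evaluating TRUE for dynamic users and FALSE for users whose home server returned a static address.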


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
   FROM usergroup   WHERE
username = '%{SQL-User-Name}'   ORDER BY id - SELECT groupname
FROM usergroup   WHERE username = '[EMAIL PROTECTED]'
ORDER BY id
rlm_sql_mysql: query:  SELECT groupname   FROM usergroup
WHERE username = '[EMAIL PROTECTED]'   ORDER BY id
rlm_sql (sql): Released sql socket id: 3
rlm_sql (sql): User [EMAIL PROTECTED] not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/s3cr3t] (from client localhost port 111)
+- entering group post-auth
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254)
WARNING: Unknown module proxy_reply in string expansion
%{proxy_reply:Framed-IP-Address}
expand: %{proxy_reply:Framed-IP-Address} -
? Evaluating (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) -
FALSE
++? if (%{proxy_reply:Framed-IP-Address} == 255.255.255.254) - FALSE
rlm_sql (sql): Processing sql_postauth
expand: %{User-Name} - [EMAIL PROTECTED]
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
expand: %{User-Password} - s3cr3t
expand: INSERT INTO radpostauth   (user,
pass, reply, date)   VALUES (
'%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') - INSERT INTO radpostauth
(user, pass, reply, date)   VALUES (
'[EMAIL PROTECTED]',   's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
expand: /usr/local/var/log/radius/sqltrace.sql -
/usr/local/var/log/radius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth
(user, pass, reply, date)   VALUES (
'[EMAIL PROTECTED]',   's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  INSERT INTO radpostauth
(user, pass, reply, date)   VALUES (
'[EMAIL PROTECTED]',   's3cr3t',
'Access-Accept', '2008-02-12 13:22:36')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
Sending Access-Accept of id 155 to 127.0.0.1 port 32791
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Finished request 0.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 
 I currently have this in radiusd.conf.

  That is NOT the only reference to the ippool module.  The IPs get
allocated *somewhere* via a reference to the main_pool module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

 I've tried adding the statement before and inside this but even static
 assigned users get an address from the pool.

  Umm... please go read man unlang.  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use if().

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
 
 I currently have this in radiusd.conf.

  That is NOT the only reference to the ippool module.  The IPs get
allocated *somewhere* via a reference to the main_pool module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

 I've tried adding the statement before and inside this but even static
 assigned users get an address from the pool.

  Umm... please go read man unlang.  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use if().

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-12 Thread Alan DeKok
Tony Spencer wrote:
 Where do I put this statement

  Where is your current ippool module referenced?

 and does override have to be yes or no?

  yes

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
Where do I put this statement and does override have to be yes or no?

Thanks in advance

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 10:33
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 Is there a way to tell Freeradius to only assign from the pool for the
user
 if the Framed-IP-Address comes back as 255.255.255.254?

$ man unlang

  In 2.0.1:

  if (%{proxy_reply:Framed-IP-Address} != 255.255.255.254) {
      ippool
  }

  It's pretty much that easy...

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer


I currently have this in radiusd.conf.

ippool main_pool {
    range-start = 10.0.0.1
    range-stop = 10.0.0.254
    netmask = 255.255.255.0
    cache-size = 800
    session-db = ${sysconfdir}/raddb/db.ippool
    ip-index = ${sysconfdir}/raddb/db.ipindex
    override = yes
    maximum-timeout = 0
}

I've tried adding the statement before and inside this but even static
assigned users get an address from the pool.

Thanks
Tony

-Original Message-
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 11:17
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 Where do I put this statement

  Where is your current ippool module referenced?

 and does override have to be yes or no?

  yes

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-12 Thread Tony Spencer
The only other place the main IP pool is mentioned is in the sites-enabled
file, within post-auth:

post-auth {

    main_pool

    sql

    Post-Auth-Type REJECT {
        attr_filter.access_reject
        sql
    }
}

I'll try and see if I can work it out from man unlang; if not, then I may be
posting back.
Sorry...

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 12 February 2008 12:41
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 
 I currently have this in radiusd.conf.

  That is NOT the only reference to the ippool module.  The IPs get
allocated *somewhere* via a reference to the main_pool module.  You
must have edited the configuration files to do this, because it is *not*
enabled in the default configuration.

 I've tried adding the statement before and inside this but even static
 assigned users get an address from the pool.

  Umm... please go read man unlang.  It is a *policy* language for
*processing* packets.  It does not apply to module configurations.

  See the default configuration files for examples of how to use if().

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
Right I've now managed to get v2.0.1 working on our radius server.
Although for some reason it's not logging to radiusd.log.
Previously we have logged accounting to the log file and the radacct table.
If anyone can spare a thought on why this isn't now logging to the
radiusd.log file I would appreciate it.

Onto the different IP pool per realm...
This still doesn't seem to work.
The debug doesn't show the IP pool being loaded.
Does this still need to be put into radiusd.conf or the sites-enabled file?

Thanks 
Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 11 February 2008 13:39
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 We are running freeradius on Centos and the most supported package that
gets
 installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have
 installed.

  Ugh.

 I've tried to upgrade by downloading the latest version, 2.0.1.
 Although it builds and installs it doesn't seem to try to connect to my
SQL
 database. When I start the old version with -X I see a lot of mention of
 sql.
 But version 2.0.1 started with -X doesn't seem to say anything apart from
 it's loading the sql.conf file.
 Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf & sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure & debug.

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
 We are running freeradius on Centos and the most supported package that gets
 installed by yum update is freeradius-1.0.1-3.RHEL4.5, which I now have
 installed.

  Ugh.

 I've tried to upgrade by downloading the latest version, 2.0.1.
 Although it builds and installs it doesn't seem to try to connect to my SQL
 database. When I start the old version with -X I see a lot of mention of
 sql.
 But version 2.0.1 started with -X doesn't seem to say anything apart from
 it's loading the sql.conf file.
 Am I missing something here?

  If you have built 2.0.1 with SQL *and* configured the SQL module in
radiusd.conf & sites-available/default, it *should* work.

  My guess is that the server wasn't built with SQL, and that you
haven't edited the configuration files to enable SQL.

  So far as the rest of the debug output goes, 1.0.1 is *years* out of
date.  I no longer remember what it does, or what quirks it has with
respect to IP pools.

  If that is the only version that Redhat supports, then I suggest
calling them and asking them for support.  Or, use 2.0.1, which will be
much easier to configure & debug.

  Alan DeKok.


RE: Different IP Pool per proxied realm

2008-02-11 Thread Tony Spencer
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
CHAP-Password = 0xb2cd36a39f414e084ae6ab6da5719886f7
NAS-Port-Type = Virtual
NAS-Port = 2548
NAS-Port-Id = Uniq-Sess-ID2548
Connect-Info = 4522000/1000
Service-Type = Framed-User
NAS-IP-Address = 192.168.1.88
CHAP-Challenge = 0x0119ec26782b0c7dd878fb54c30f5859
Proxy-State = 0x323435
Waking up in 5 seconds...
rad_recv: Access-Accept packet from host 88.20.106.18:1645, id=1, length=107
Class =
0x5342522d434c20444e3d22323032343331222041543d22323030222055533d2053493d
22323839302200
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Proxy-State = 0x323435
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 14
radius_xlat:
'/var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211'
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.88/post-proxy-detail-20080211
  modcall[post-proxy]: module post_proxy_log returns ok for request 14
modcall: group post-proxy returns ok for request 14
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module preprocess returns ok for request 14
  rlm_chap: WARNING: Auth-Type already set.  Not setting to CHAP
  modcall[authorize]: module chap returns noop for request 14
  modcall[authorize]: module mschap returns noop for request 14
rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module suffix returns noop for request 14
  modcall[authorize]: module eap returns noop for request 14
users: Matched DEFAULT at 1
  modcall[authorize]: module files returns ok for request 14
radius_xlat:  '[EMAIL PROTECTED]'
rlm_sql (sql): sql_set_user escaped user -- '[EMAIL PROTECTED]'
radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '[EMAIL PROTECTED]' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 20
rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '[EMAIL PROTECTED]' ORDER BY id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radcheck
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query:  SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupche
ck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query:  SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgrouprep
ly.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE
usergroup.Username = '[EMAIL PROTECTED]' AND usergroup.GroupName =
radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User [EMAIL PROTECTED] not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 20
  modcall[authorize]: module sql returns notfound for request 14
modcall: group authorize returns ok for request 14
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/CHAP-Password] (from client 7304 port
2548)
Sending Access-Accept of id 245 to 192.168.1.88:1645
Class =
0x5342522d434c20444e3d22323032343331222041543d22323030222055533d2053493d
22323839302200
Session-Timeout = 0
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
Finished request 14




Thanks in advance

Tony



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: 09 February 2008 16:06
To: FreeRadius users mailing list
Subject: Re: Different IP Pool per proxied realm

Tony Spencer wrote:
 We are using FreeRADIUS Version 1.0.1

  Why?

  I would suggest upgrading.  The newer versions have a LOT more
features, and make this kind of configuration much easier.

 But when the user logs in they get assigned an IP from the NAS and not
from
 the IP Pool.
 Am I doing something wrong?

  The debug log should explain what the server is sending back

Re: Different IP Pool per proxied realm

2008-02-11 Thread Alan DeKok
Tony Spencer wrote:
 Right I've now managed to get v2.0.1 working on our radius server.
 Although for some reason it's not logging to radiusd.log.
 Previously we have logged accounting to the log file and the radacct table.
 If anyone can spare a thought on why this isn't now logging to the
 radiusd.log file I would appreciate it.

  File permissions?  Also see the log{} configuration in radiusd.conf.

 Onto the different IP pool per realm...
 This still doesn't seem to work.
 The debug doesn't show the IP pool being loaded.
 Does this still need to be put into radiusd.conf or the sites-enabled file?

  You can put everything in radiusd.conf, just like in 1.1.7.

  Alan DeKok.


Re: Different IP Pool per proxied realm

2008-02-09 Thread Alan DeKok
Tony Spencer wrote:
 We are using FreeRADIUS Version 1.0.1

  Why?

  I would suggest upgrading.  The newer versions have a LOT more
features, and make this kind of configuration much easier.

 But when the user logs in they get assigned an IP from the NAS and not from
 the IP Pool.
 Am I doing something wrong?

  The debug log should explain what the server is sending back.  But if
you're using 1.0.1, I would suggest upgrading before posting the debug log.

  Alan DeKok.